Apache Tomcat: Trailer header parsing too lenient
Description
Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy.
Older, EOL versions may also be affected.
Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.tomcat:tomcatMaven | >= 11.0.0-M1, < 11.0.0-M12 | 11.0.0-M12 |
org.apache.tomcat:tomcatMaven | >= 10.1.0-M1, < 10.1.14 | 10.1.14 |
org.apache.tomcat:tomcatMaven | >= 9.0.0-M1, < 9.0.81 | 9.0.81 |
org.apache.tomcat:tomcatMaven | >= 8.5.0, < 8.5.94 | 8.5.94 |
org.apache.tomcat.embed:tomcat-embed-coreMaven | >= 11.0.0-M1, < 11.0.0-M12 | 11.0.0-M12 |
org.apache.tomcat.embed:tomcat-embed-coreMaven | >= 10.1.0-M1, < 10.1.14 | 10.1.14 |
org.apache.tomcat.embed:tomcat-embed-coreMaven | >= 9.0.0-M1, < 9.0.81 | 9.0.81 |
org.apache.tomcat.embed:tomcat-embed-coreMaven | >= 8.5.0, < 8.5.94 | 8.5.94 |
org.apache.tomcat:tomcat-coyoteMaven | >= 11.0.0-M1, < 11.0.0-M12 | 11.0.0-M12 |
org.apache.tomcat:tomcat-coyoteMaven | >= 10.1.0-M1, < 10.1.14 | 10.1.14 |
org.apache.tomcat:tomcat-coyoteMaven | >= 9.0.0-M1, < 9.0.81 | 9.0.81 |
org.apache.tomcat:tomcat-coyoteMaven | >= 8.5.0, < 8.5.94 | 8.5.94 |
Affected products
33- osv-coords32 versionspkg:bitnami/tomcatpkg:maven/org.apache.tomcat.embed/tomcat-embed-corepkg:maven/org.apache.tomcat/tomcatpkg:maven/org.apache.tomcat/tomcat-coyotepkg:rpm/almalinux/tomcatpkg:rpm/almalinux/tomcat-admin-webappspkg:rpm/almalinux/tomcat-docs-webapppkg:rpm/almalinux/tomcat-el-3.0-apipkg:rpm/almalinux/tomcat-jsp-2.3-apipkg:rpm/almalinux/tomcat-libpkg:rpm/almalinux/tomcat-servlet-4.0-apipkg:rpm/almalinux/tomcat-webappspkg:rpm/opensuse/tomcat&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/tomcat&distro=openSUSE%20Tumbleweedpkg:rpm/suse/tomcat&distro=SUSE%20Enterprise%20Storage%207.1pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4pkg:rpm/suse/tomcat&distro=SUSE%20Manager%20Server%204.3
>= 8.5.0, < 8.5.94+ 31 more
- (no CPE)range: >= 8.5.0, < 8.5.94
- (no CPE)range: >= 11.0.0-M1, < 11.0.0-M12
- (no CPE)range: >= 11.0.0-M1, < 11.0.0-M12
- (no CPE)range: >= 11.0.0-M1, < 11.0.0-M12
- (no CPE)range: < 1:9.0.62-27.el8_9.2
- (no CPE)range: < 1:9.0.62-27.el8_9.2
- (no CPE)range: < 1:9.0.62-27.el8_9.2
- (no CPE)range: < 1:9.0.62-27.el8_9.2
- (no CPE)range: < 1:9.0.62-27.el8_9.2
- (no CPE)range: < 1:9.0.62-27.el8_9.2
- (no CPE)range: < 1:9.0.62-27.el8_9.2
- (no CPE)range: < 1:9.0.62-27.el8_9.2
- (no CPE)range: < 9.0.85-150200.57.1
- (no CPE)range: < 9.0.82-2.1
- (no CPE)range: < 9.0.85-150200.57.1
- (no CPE)range: < 9.0.36-150100.4.98.1
- (no CPE)range: < 9.0.85-150200.57.1
- (no CPE)range: < 9.0.85-150200.57.1
- (no CPE)range: < 9.0.85-150200.57.1
- (no CPE)range: < 9.0.85-150200.57.1
- (no CPE)range: < 9.0.85-150200.57.1
- (no CPE)range: < 9.0.36-3.111.1
- (no CPE)range: < 9.0.36-150100.4.98.1
- (no CPE)range: < 9.0.85-150200.57.1
- (no CPE)range: < 9.0.85-150200.57.1
- (no CPE)range: < 9.0.85-150200.57.1
- (no CPE)range: < 9.0.36-3.111.1
- (no CPE)range: < 9.0.36-150100.4.98.1
- (no CPE)range: < 9.0.85-150200.57.1
- (no CPE)range: < 9.0.85-150200.57.1
- (no CPE)range: < 9.0.85-150200.57.1
- (no CPE)range: < 9.0.85-150200.57.1
- Apache Software Foundation/Apache Tomcatv5Range: 11.0.0-M1
Patches
Vulnerability mechanics
References
12- github.com/advisories/GHSA-r6j3-px5g-cq3xghsaADVISORY
- lists.apache.org/thread/2pv8yz1pyp088tsxfb7ogltk9msk0jdpghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2023-45648ghsaADVISORY
- www.openwall.com/lists/oss-security/2023/10/10/10ghsaWEB
- github.com/apache/tomcat/commit/59583245639d8c42ae0009f4a4a70464d3ea70a0ghsaWEB
- github.com/apache/tomcat/commit/8ecff306507be8e4fd3adee1ae5de1ea6661a8f4ghsaWEB
- github.com/apache/tomcat/commit/c83fe47725f7ae9ae213568d9039171124fb7ec6ghsaWEB
- github.com/apache/tomcat/commit/eb5c094e5560764cda436362254997511a3ca1f6ghsaWEB
- lists.debian.org/debian-lts-announce/2023/10/msg00020.htmlghsaWEB
- security.netapp.com/advisory/ntap-20231103-0007ghsaWEB
- www.debian.org/security/2023/dsa-5521ghsaWEB
- www.debian.org/security/2023/dsa-5522ghsaWEB
News mentions
0No linked articles in our index yet.